Introduction


The Freedom of Information Act 2000 (FOIA) and the Environmental 
Information Regulations 2004 (EIR) give the public rights to access 
information held by public authorities. 


An overview of the main provisions of FOIA and the EIR can be found in
The Guide to Freedom of Information and The Guide to the Environmental
Information Regulations.


This is part of a series of guidance, which goes into more detail than the 
guides, to help public authorities to fully understand their obligations and 
promote good practice. 


This guidance explains in more detail how to apply FOIA exemptions and 
EIR exceptions relating to personal data. It therefore refers to the 
processing of personal data in accordance with the UK General Data 
Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). 
It is a guide to our general recommended approach, although decisions 
will always be made on a case by case basis. 


The DPA and UK GDPR set out the UK data protection regime. The DPA 
also sets out separate data protection rules for the processing of personal 
data by competent authorities¹ for law enforcement purposes (DPA Part
3); and for processing by the intelligence services (DPA Part 4). For more 
information see our Guide to Data Protection. 


This guidance is based on precedents established under the Data 
Protection Act 1998 (DPA98). It will be regularly reviewed and kept in line 
with new decisions of the Information Commissioner, tribunals and courts. 
Additional guidance is available on our guidance pages. 


1 A competent authority for the purposes of law enforcement means a person specified in 
Schedule 7 of the DPA and any other person if, and to the extent that, the person has 
statutory functions to exercise public authority or public powers for the law enforcement 
purposes. 


Overview 


• If a requester submits a freedom of information (FOI) or EIR
  request for someone else’s personal data, and that other person
  (the ‘data subject’) does not have the right to obtain it
  themselves because of a data protection exemption, then the
  information may be exempt from disclosure.

• The relevant FOI/EIR exemptions are divided into separate parts,
  relating to the nature of the data processed. For example, there
  is one exemption for data processed for law enforcement
  purposes, another for intelligence services processing (EIR only)
  and a different exemption for general UK GDPR processing.

• These are all qualified exemptions which require you to carry out
  a public interest test. You must release the information unless
  the public interest in maintaining the exemption outweighs the
  public interest in disclosure.

• You must therefore consider the following:
  o Is the information personal data that relates to someone
    other than the individual making the FOI/EIR request?
  o What is the nature of the processing and do any relevant
    data protection exemptions apply to the data subject’s
    right of access?
  o If an FOI/EIR exemption is engaged, what is the balance of
    the public interest test?

• The main public interest arguments for maintaining the
  exemption are:
  o protecting the interests identified in the relevant data
    protection exemption; and
  o protecting the privacy of the data subject.

• You must balance these against the general public interest in
  transparency and accountability and any specific public interest
  in disclosing the information.

• If you consider the personal data to be exempt from the subject
  access right, it is likely that disclosure also contravenes data
  protection principle (a). The request may therefore fall under a
  different exemption - FOIA section 40(3A) or EIR regulation
  13(2A). You may wish to consider this other exemption first as it
  does not involve a public interest test.


What do FOIA and the EIR say? 


Section 40 of FOIA provides an exemption from the right to information if 
it is personal data as defined in the DPA. 


The EIR contains an equivalent exception. This is set out in regulations 
5(3), 12(3) and 13. 


These state that you should not disclose information under FOIA or the 
EIR if: 


• it is the personal data of the requester; or
• it is the personal data of someone else; and
  o disclosure contravenes the data protection principles;
  o disclosure contravenes an objection to processing; or
  o the data is exempt from the right of subject access.


FOIA and the EIR provide an exemption for personal data if the requested 
data is exempt from disclosure under a subject access request. Therefore, 
if you would not give a copy of the requested data under the UK GDPR or 
the DPA to the data subject, in most circumstances you should also not 
give the data to a third party making an FOI or EIR request. 


FOIA and the EIR personal data exemptions about another person’s 
subject access rights are divided into separate parts, depending on the 
nature of the data processed. For example, there is: 


• an FOI/EIR exemption where the data subject has a right of access
  to data processed under the UK GDPR (‘general processing’);

• an FOI/EIR exemption relating to a data subject’s right of access to
  data processed for law enforcement purposes; and

• an EIR exception for intelligence services processing.


The different FOI and EIR exemptions are listed in the table below: 


Type of data processed | FOIA section | EIR regulation
General processing under the UK GDPR | 40(2) with 40(4A)(a) | 13(1)(b) with 13(3A)(a)
Processing for law enforcement purposes | 40(2) with 40(4A)(b) | 13(1)(b) with 13(3A)(b)
Intelligence services processing | None | 13(1)(b) with 13(3A)(c)


These are all qualified exemptions, which means they are subject to a 
public interest test. If the public interest test favours disclosure, you may 
disclose the information — as long as you have also concluded that 
disclosure is not in contravention of the principles. 


You should consider three main issues in order to decide whether 
information is exempt: 


• Is the information personal data that relates to someone other than
  the requester?

• What is the nature of the processing and do any relevant data
  protection exemptions apply to that other individual’s right of
  subject access?

• If one of these exemptions is engaged, what is the balance of the
  public interest test?


These issues are discussed in more detail below. 


Personal data 


You must first establish that the information in question constitutes 
personal data, within the meaning of the DPA. Our guidance What is 
personal data? explains the definition of personal data. 


Secondly, the personal data must relate to someone other than the 
requester. 


If the information is the requester’s personal data, it is exempt under 
section 40(1) of FOIA, or under regulation 5(3) of the EIR, and you are 
under no obligation to make it available. Instead, the individual has the 
right to make a data protection subject access request in order to obtain 
their own data. 


You must therefore handle a request for the requester’s personal data as 
a subject access request under the UK GDPR or the DPA, as applicable. 


Further information about how to deal with a subject access request is 
available in our UK GDPR guidance Right of access and in our law 
enforcement guidance The right of access. 


Even if this right is limited by a data protection exemption, a requester 
still cannot use FOIA or the EIR as an alternative route to obtain their 
personal data. They simply cannot request their own personal data under 
FOIA or the EIR and the exemption is absolute. 


You must comply with the subject access request without undue delay 
and in any event within one month of receipt of the request. Strictly 
speaking, however, the time limits of FOIA and the EIR still apply, and 
you are still technically required to issue a refusal notice even though you 
do not have to confirm or deny whether you hold the information. 


Therefore, for practical purposes when a subject access request has been 
made as an FOI or EIR request, you should respond within 20 working 
days or else explain within this time limit that you are dealing with the 
request under the UK GDPR or the DPA. 


Information exempt from the data subject’s right of access 


If the information is the personal data of someone other than the 
requester, you must consider whether that other individual (the data 
subject) has the right to obtain the data if they submitted a data 
protection subject access request. You must therefore consider whether 
the personal data would be exempt from disclosure to the data subject if 
they asked for a copy. 


The data subject has the right of subject access under different provisions 
of the UK GDPR or the DPA, depending on the nature of the data: 


Type of data processed | Right of subject access
General processing under the UK GDPR | UK GDPR Article 15
Processing for law enforcement purposes | DPA Part 3 Chapter 3 section 45
Intelligence services processing | DPA Part 4 Chapter 3 section 94


However, there are exemptions to the subject access right. These relate 
to the nature of the personal data and the reasons why you are holding 
and processing it. You can find them in various locations in the DPA: 


Type of data processed | Exemptions from the right of subject access
Under the UK GDPR (general processing) | Section 26, and schedules 2, 3 and 4 of the DPA.
For law enforcement purposes (under DPA Part 3) | Section 45(4) of Part 3 of the DPA.
For intelligence services purposes (under DPA Part 4) | Part 4 Chapter 6 of the DPA.


There is further information on how the right of access may be restricted 
with respect to law enforcement processing in our guidance The right of 
access. 


You can find further information on general UK GDPR exemptions in our 
guidance to the data protection exemptions. 


You must check the wording of any exemption carefully to establish 
whether it does apply to the right of access. 


The relevant exemptions relate to a number of areas including: 


• crime and taxation;
• regulatory activity;
• research;
• legal professional privilege; and
• the awarding of honours.


In the following example, the data protection exemption applied because 
the personal data had been processed for a particular purpose - the 
conferring by the Crown of an honour. 


Other exemptions in the DPA may be worded differently and only apply if 
the information is processed for certain purposes and if giving it to the 
data subject would prejudice these. 


This can be seen in Schedule 2 Part 1, paragraph 2 of the DPA. It states
that personal data processed for certain listed crime and taxation
purposes is exempt from the right of access provisions to the extent that
“the application of those provisions would be likely to prejudice” any of
the purposes.


You must therefore consider on which basis each DPA exemption applies. 


Example 


Under FOIA a requester asked for information about the 
Government’s reasons for awarding a CBE to a named 
individual. The Cabinet Office refused the information under
FOIA section 37(1)(b) (information about “the conferring by 
the Crown of any honour or dignity”) and also under the 
section 40 exemption from the right of subject access. 


The Commissioner considered some information under FOIA 
section 37(1)(b) and then the remainder under section 40. 


With respect to section 40, the Commissioner found that the 
requested information was exempt from the right of subject 
access. The exemption states that the recipients of honours do 
not have the right to obtain detailed information about the 
reasons for their award (the honours exemption). Therefore if 
the data subject made a subject access request for this data, 
they would not obtain a copy. 


As the section 40 exemption was engaged, the Commissioner 
then conducted a public interest test. He concluded that the 
public interest in the maintenance of the exemption did not 
outweigh the public interest in disclosure. 


In this case, although the exemption was engaged, the 
Commissioner ordered the information to be disclosed 
following the consideration of the public interest test. 


The criterion for engaging the exemption in FOIA section 40(4A) and the 
EIR regulation 13(3A) is that, because of a DPA exemption, the data 
subject does not have the right to obtain the same information 
themselves.


To engage the exemption it is not necessary for the data subject to have
submitted a subject access request and to have been refused. The 
exemption can also be engaged even if the data subject has received the 
information. The data protection exemptions allow the controller to 
withhold information from a data subject’s request. However, they do not 
prohibit the controller from releasing the information to them. As such, a 
controller may exercise its discretion to give the information to the data 
subject, even though they did not have the right to obtain it. 


Example 


Under FOIA, a requester asked the Cabinet Office for 
information about an undertaking given by Lord Ashcroft as a 
condition of his receiving a peerage. The undertaking
concerned his residence in the United Kingdom. 

The information was exempt from the data subject’s right of 
access under the DPA honours exemption. 


However, the Cabinet Office confirmed that it had in fact 
already given the information to Lord Ashcroft. 


Nevertheless, the Commissioner accepted that the section 40 
exemption was still engaged because the Cabinet Office could 
have refused a subject access request - because of a data 
protection exemption. The Cabinet Office had exercised its 
discretion and Lord Ashcroft had not received his information 
because he had a right to it. 


The discretionary provision of the information in this case
therefore did not alter the application of the section 40
exemption which is concerned with the data protection subject
access right to the information.


The Commissioner then went on to consider the public interest 
test under FOIA. 


Manual unstructured data held by FOI public authorities 


Another exemption from the data subject’s right of access concerns data 
relating to personnel matters which you might hold in paper form as 
manual unstructured data.


This is hard-copy personal data which is held on paper, but not in any
organised structure. It is not held in a filing system and is not intended to 
form part of a filing system. The data cannot therefore be easily accessed 
with reference to an identifier such as a year or name. 


A data subject can make a subject access request to a public authority for 
this data. However, under section 24(3) of the DPA, the data protection 
right of access does not apply to manual unstructured data if it relates to 
personnel matters in connection with service in the armed forces, or 
service in any office or employment under the Crown or under any public 
authority. This includes data relating to: 


• appointments;
• removals;
• pay;
• discipline;
• superannuation; or
• other personnel matters.


Therefore, if you hold personnel data about an employee in hard copy and 
it is not in a relevant filing system, then that employee does not have the 
right to obtain it under data protection legislation. 


This means that if someone else requested it under FOIA, the exemption 
in FOIA section 40(4A) would be engaged. 


The public interest test 


The need for a public interest test 


FOIA section 40(4A) is not listed as an absolute exemption in section 2(3)
of FOIA and is therefore a qualified exemption. Having established that it
is engaged, you must go on to consider the public interest test.


You can only withhold the information if the public interest in maintaining
the exemption outweighs the public interest in disclosure. If it does not,
then you must disclose the information.


It may seem odd that the FOI exemption is subject to the public interest 
test, since it means that there can be cases where personal data is 
disclosed in response to a FOIA request from a third party, even though 
the subject of that data could not obtain it themselves. 


However, the fact that section 40(4A) is a qualified exemption allows for 
the public interest to be taken into account. You must balance the interest 
that the data protection exemption protects against the public interest in 
transparency. 


The data protection exemptions that prevent the data subject from 
obtaining their own data protect certain interests, such as crime 
prevention or legal professional privilege. The DPA says that the 
importance of protecting those interests takes precedence over the right 
of data subjects to access their own data. 


FOIA is about whether information should be disclosed to the world. 
Therefore, when a third party submits an FOI request for personal data 
that engages section 40(4A), you must weigh the interest that the data 
protection exemption protects against the public interest in transparency 
and accountability. Making this a qualified exemption means that the 
public interest must be recognised. 


This is an established principle under the EIR. Regulation 13(1)(b) 
explicitly states that the regulation 13(3A) exemption (where the 
requested data is exempt from disclosure under a subject access request) 
requires a public interest test. 


Public interest in maintaining the exemption 


The public interest arguments for maintaining the section 40(4A)
exemption and EIR regulation 13(3A) relate to two main issues:


• Protecting the interest identified in the DPA exemption.

• Protecting the privacy of the data subject.


Protecting the interest identified in the DPA exemption 


The exemptions from the right of access in the DPA protect specified 
interests such as the: 


• prosecution of offenders;
• confidentiality of the honours system; or
• intentions of a party in negotiations.


Under the DPA, the importance of protecting these interests can take 
precedence over the right of a data subject to access their personal data. 
This implies that there is also a public interest in protecting these 
interests. You should take this into account as an argument for 
maintaining the exemption, when carrying out the public interest test. 


In doing so, it is important you are aware of the wording of the particular 
exemption: 


• Some of the DPA exemptions apply because the personal data has
  been processed for a particular purpose. This is similar to an FOI
  class-based exemption. For example, the crown honours, dignities
  and appointments exemption falls into this category.

• Other DPA exemptions apply because giving a copy of the data to
  the data subject prejudices the purpose that the exemption
  protects. When considering the public interest argument for
  maintaining the exemption, you must therefore judge how far
  disclosure under FOIA prejudices that purpose. This is similar to an
  FOI prejudice-based exemption. For example, the crime and
  taxation exemption falls into this category.


Protecting the privacy of the data subject 


The need to protect the data subject’s privacy is also an issue in the 
public interest test. There is an argument that the data subject’s privacy 
is affected if they only see their personal data when it is released to the 
world under FOIA. 


Furthermore, the fact that the data subject may be prevented from 
accessing their personal data under the DPA may indicate that there is an 
issue about the data subject’s privacy. 


For example, the exemption in Schedule 2 Part 1 paragraph 2(1)(b) of the 
DPA relating to the apprehension or prosecution of offenders, may be 
relevant if the data subject is a suspect in a criminal investigation. 
Disclosing this to the world under FOIA may affect the data subject’s 
privacy, apart from any effect it may have on the investigation. This is a 
public interest argument for maintaining the exemption which is separate 
from the argument about the need to safeguard criminal investigations. 


Engaging the section 40(4A) or regulation 13(3A) exemption does not
depend on whether or not a data subject has submitted a subject access
request that has been refused. The exemption depends on whether they
have the right under the DPA to obtain their data. However, if you have
refused a subject access request because of a DPA exemption, this will
add weight to the public interest argument for maintaining the section
40(4A) or regulation 13(3A) exemption.


Balancing the public interest arguments 


You must balance the public interest arguments for maintaining the
exemption against the general public interest in transparency and
accountability, as well as any arguments about why disclosing the
information is in the public interest. The relative weight of the arguments
on each side depends on the circumstances of the case. Our guidance
document on the public interest test includes advice on attaching weight
to these arguments.


You must disclose the information unless the public interest in
maintaining the exemption outweighs the public interest in disclosure. The
following is an example of how the Commissioner has carried out the
public interest test in such a case:


Example 


The requester asked the Home Office for information about an
honour awarded to a named person.* The Home Office
withheld the requested information under FOIA, arguing that it
concerned the conferring of honours and was exempt under
the subject access right.


In the decision notice, the Commissioner first considered the 
public interest in openness and transparency about the 
honours system versus the public interest in maintaining the 
relevant DPA98 exemption. 


The Commissioner did not accept that disclosure of the 
information would prejudice the operation of the honours 
system. The content of the information was significant here; it 
was essentially a recitation of the person’s achievements, and 
so disclosing it would not erode the safe space needed to 
consider the awarding of honours, or have a chilling effect on 
such discussions. 


On the other hand, concerns had been expressed elsewhere 
about the transparency and accountability of the honours 
system in general, and so disclosing information would help to 
address these. 


The Commissioner accepted that there was a public interest in
maintaining the principle that information which was not
accessible by the data subject should not be made public. This
concerned the data subject’s privacy. However, the weight of
the arguments was reduced because the content of the
information was benign, and so disclosure would not be unfair
to the data subject.


The result was that the public interest in maintaining the
exemption did not outweigh the public interest in disclosure.


* Decision notice FS50223685 paragraphs 48-51


If the outcome of the public interest test is that the information is 
disclosed, then this means that information which the data subject could 
not obtain themselves is released, not only to the FOIA requester but also 
to the world. 


It is important to remember that you must consider each case on the
actual content of the information and in the circumstances at the time.


Furthermore, when you release information under FOIA, it is in effect 
available to the data subject as well. In such a case, it may be helpful for 
you to also provide the information directly to the data subject at the 
same time. 


Other considerations 


If the information engages FOIA section 40(4A) or EIR regulation 13(3A),
then the exemptions in FOIA section 40(3A) or EIR regulation 13(2A)
may also be relevant.


Under these exemptions, you do not need to disclose information if this 
contravenes any of the data protection principles. This usually involves 
considering whether disclosure is lawful under principle (a) of the UK 
GDPR. These are absolute exemptions, unlike section 40(4A) and 
regulation 13(3A). 


When dealing with a request for third-party personal data, you may find it
simpler to consider these exemptions concerning contravention of the
principles, before looking at whether the information is exempt from the
subject access right. Further advice on these exemptions is available in
our guidance document on The exemption for personal information.


If you apply the exemption at section 40(4A) or EIR regulation 13(3A) 
and consider that the public interest favours disclosure, you must still be 
satisfied that this disclosure does not contravene the data protection 
principles and that the information is not exempt under FOIA section 
40(3A) or EIR regulation 13(2A). This may be another reason to consider 
these other exemptions first. 


Other FOIA exemptions may also be relevant to information that engages
section 40(4A). This is because some of the exemptions from the data
subject’s right of access in the DPA relate to interests that are also
protected by other FOIA exemptions, such as:


• national security;
• crime and taxation;
• the conferring of honours; and
• legal professional privilege.


If information is exempt from the data subject’s right of access because of 
one of these DPA exemptions, it may also engage a corresponding 
exemption in FOIA. 


For further details about FOI exemptions and EIR exceptions please see 
‘Refusing a request’ in our Guide to freedom of information and our Guide 
to the EIR. 


More information 


We have developed this guidance drawing on ICO experience. It may 
provide more detail on issues that are often referred to the Information 
Commissioner than on those we rarely see. We will regularly review the 
guidance and keep it in line with new decisions of the Information 
Commissioner, tribunals and courts. 


It is a guide to our general recommended approach, although we will 
always assess individual cases on the basis of their particular 
circumstances. 


If you need any more information about this or any other aspect of 
freedom of information, please see our website www.ico.org.uk. 


